Solved: Lookup Tables and Comments

jchensor · ‎10-21-2011

I currently am using a lookup table to match Host Names with a "grouping" category. However, there are a ton of entries in there and the order I have them in the file isn't directly obvious, so to make it easier for me to search through and edit the file, I'd love it if I could add "comments" to the lookup file. Is this possible? Can we start lines with a ':' or a '#' character or something and cause that line to be ignored during the lookup process?

Drainy · ‎10-21-2011

Well its a CSV so you can't comment it.
But, you could add a comment field and simply not reference it during the lookup process? That way it will idle there un-used

UPDATE:

One way could be,

host,ip,comment
BOB,127.0.0.1,danger danger!

But you could avoid referencing the comment field completely

View solution in original post

Drainy · ‎10-21-2011

Well its a CSV so you can't comment it.
But, you could add a comment field and simply not reference it during the lookup process? That way it will idle there un-used

UPDATE:

One way could be,

host,ip,comment
BOB,127.0.0.1,danger danger!

But you could avoid referencing the comment field completely

Drainy · ‎10-21-2011

have a look at my updated answer for an example of another way to do it

jchensor · ‎10-21-2011

Yeah, I was just thinking that a "generic" Host Name like "#comment#" that would never actually be the name of a machine could just be treated as a comment. I was hoping that maybe Splunk's lookup process would have its own construct built-in that ignored certain lines. But you're probably right in that it most likely wouldn't. ^_^

Lookup Tables and Comments

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...